topic Re: Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals. in Splunk Search

Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals.

TheBravoSierra — Thu, 28 Jan 2021 21:22:48 GMT

I'm trying to look for senders where they don't contain values from the lookup mimics.csv. Examples of values in the lookup is:

*google.com*

*yahoo.com*

I've already set WILDCARD(sender) in the definition.

Below is the search I'm trying to do:
index=test
| search sender IN [inputlookup mimics.csv]
| table _time,mid,src_ip,sender,subject,recipient

But I keep getting this error:
Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals.'(sender = "*google.com*")' is not a literal.

Re: Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals.

bowesmana — Thu, 28 Jan 2021 21:36:00 GMT

@TheBravoSierra

The WILDCARD attribute of a lookup applies to the use of the lookup command, not the inputlookup command, so that's not relevant here.

The IN part of search is

sender IN (a,b,c,d,e)

and would not apply to wildcarded phrases like you are trying to do.

Simple way to do what you are doing is

index=test [ | inputlookup mimics.csv | fields sender ] | table _time,mid,src_ip,sender,subject,recipient

although without knowing what you are trying to get from your lookup, I don't know if that will give you what you want.

Note that subsearches do not need an additional pipeline 'search' command, you can add them directly to the initial search as above.

One way to see what the subsearch is passing to the outer search is to do this

| inputlookup mimics.csv | fields sender | format

and you will see the return value coming from the subsearch that will be used as part of the search.

Re: Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals.

TheBravoSierra — Thu, 28 Jan 2021 21:44:09 GMT

Sorry, I forgot to mention what I am trying to get. Index=test has senders that are like 123google.com google123.com. So I want to see the results where sender in index=test contains wildcard phrases from the the sender field in the lookup table.

Does that make sense? For example...

Senders in indext=test:

123google.com

google123.com

Wildcard sender phrases in lookup:

*google1* (would match
*2google* (would not match

Re: Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals.

bowesmana — Thu, 28 Jan 2021 21:54:17 GMT

So, my reply above should do that. If you run the | inputlookup command on its own as shown, you will see how that is affecting the search. It will give you something like

( ( sender="*google1*" ) OR ( sender="*2google*" ))

so, from your index=test example data, the 'google123.com' event sender would match that search.